COMMAND
Cisco IOS (TCP Initial Sequence Number generation)
SYSTEMS AFFECTED
Cisco routers and switches running any released version of Cisco IOS software
PROBLEM
Following is based on a Cisco Security Advisory. Cisco IOS
software contains a flaw that permits the successful prediction
of TCP Initial Sequence Numbers. This vulnerability is present
in all released versions of Cisco IOS software running on Cisco
routers and switches. It affects only TCP connections that
originate or terminate on the affected Cisco device itself, such
as interactive management sessions or BGP sessions to the router;
it does not apply to TCP traffic forwarded through the device in
transit between two other hosts. To remove
the vulnerability, Cisco is offering free software upgrades for
all affected platforms. The defect is described in DDTS record
CSCds04747.
The vulnerability is present in all Cisco routers and switches
running affected releases of Cisco IOS Software.
To provide reliable delivery in the Internet, the Transmission
Control Protocol (TCP) makes use of a sequence number in each
packet to provide orderly reassembly of data after arrival, and
to notify the sending host of the successful arrival of the data
in each packet. TCP sequence numbers are 32-bit integers in the
circular range of 0 to 4,294,967,295. The host devices at both
ends of a TCP connection exchange an Initial Sequence Number
(ISN) selected at random from that range as part of the setup of
a new TCP connection. After the session is established and data
transfer begins, the sequence number is regularly augmented by
the number of octets transferred, and transmitted to the other
host. To reject duplicate or late packets in a TCP stream, each
host maintains a "window", a range of values starting at the next
expected sequence number, in which the sequence number of an
arriving packet must fall if it is to be accepted. That check is
the only authentication TCP itself performs: a packet that carries
the expected source and destination IP addresses, source and
destination port numbers, and a sequence number within the window
is accepted as genuine, regardless of where it actually came from.
This method provides reasonably good protection against accidental
receipt of unintended data. However, to guard against malicious
use, it should not be possible for an attacker to infer a
particular number in the sequence. If the initial sequence number
is not chosen randomly, or if it advances predictably from one TCP
session to the next, then an attacker who has sampled a few ISNs
can predict the next one with some accuracy. With that prediction
it is possible, with varying degrees of success, to forge one half
of a TCP connection with another host without ever seeing the
return traffic, for example to gain access to that host from a
spoofed source address it trusts, or to hijack an existing
connection between two hosts in order to compromise the contents
of the TCP connection. To guard against such compromises, ISNs
should be generated as randomly as possible.
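The window test and the prediction argument above can be made concrete. The following Python is an added example for this page, not Cisco code and not part of the advisory. It compares a constructed weak ISN source (a fixed bump of 64000 per connection, optionally with a little jitter) against a source that draws every ISN uniformly from the 32-bit space, using the RFC 793 acceptance test with proper 32-bit wraparound. The generators, seeds, sample counts and the 16 KiB window are assumptions chosen for the demonstration.

```python
# Added example (not Cisco's code, not from the advisory): how predictable is an
# ISN source? The generators, seeds and window sizes below are constructed.
import random
import statistics

MOD = 1 << 32  # sequence numbers live in a circular 32-bit space


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test: rcv_nxt <= seq < rcv_nxt + rcv_wnd, modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def signed_distance(a, b):
    """Shortest signed distance from b to a on the 32-bit circle, in [-2**31, 2**31)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def expected_blind_guesses(rcv_wnd):
    """Mean number of uniformly random guesses before one lands inside the window."""
    return MOD // rcv_wnd


def weak_isn_source(seed, increment=64000, jitter=0, rng=None):
    """Constructed weak generator: a fixed bump per connection, plus optional jitter."""
    rng = random.Random(0) if rng is None else rng
    isn = seed % MOD
    while True:
        isn = (isn + increment + rng.randint(-jitter, jitter)) % MOD
        yield isn


def random_isn_source(rng):
    """Good generator: each ISN drawn uniformly from the full 32-bit range."""
    while True:
        yield rng.getrandbits(32)


def collect(source, n):
    """Record n consecutive ISNs, as an attacker does by opening n connections."""
    return [next(source) for _ in range(n)]


def predict_next(history):
    """Attacker's model: next ISN = last ISN + the typical per-connection delta."""
    deltas = [(b - a) % MOD for a, b in zip(history, history[1:])]
    return (history[-1] + int(statistics.median(deltas))) % MOD


def max_prediction_error(isns, train=8):
    """Worst |prediction - actual| after the first `train` samples.

    For a blind handshake spoof the final ACK must carry the peer's ISN + 1
    exactly, so this bounds how many candidate ACKs the attacker must send.
    """
    return max(abs(signed_distance(predict_next(isns[:i]), isns[i]))
               for i in range(train, len(isns)))


def injection_hit_rate(isns, rcv_wnd=16384, train=8):
    """Share of samples where one segment aimed at the prediction is accepted.

    Aiming half a window ahead of the prediction tolerates errors up to
    rcv_wnd/2 in either direction; this models injecting into an
    established session rather than completing a handshake.
    """
    hits = 0
    for i in range(train, len(isns)):
        aim = (predict_next(isns[:i]) + rcv_wnd // 2) % MOD
        hits += in_window(aim, isns[i], rcv_wnd)
    return hits / (len(isns) - train)


def demo_samples(n=40):
    """Constructed ISN samples from the three generators, with fixed seeds."""
    return {
        "fixed increment": collect(weak_isn_source(12345), n),
        "jittered": collect(weak_isn_source(12345, jitter=100, rng=random.Random(3)), n),
        "random": collect(random_isn_source(random.Random(7)), n),
    }


if __name__ == "__main__":
    for name, sample in demo_samples().items():
        print(f"{name:16s} max error {max_prediction_error(sample):>11d}"
              f"  injection hit rate {injection_hit_rate(sample):.2f}")
    print("expected blind guesses for a 16 KiB window:", expected_blind_guesses(16384))
```

Two numbers matter. The largest prediction error bounds how many candidate ACKs a blind handshake spoofer must send, because the third packet of the handshake has to carry the peer's ISN + 1 exactly; for the fixed-increment source that is a single packet, and the jitter only widens it to a few hundred. The injection hit rate shows whether one segment aimed at the prediction would be accepted into a 16 KiB receive window of an established session; against the uniformly random source the attacker is back to roughly 2^32 / window blind guesses. The same measurement can be taken against a live device by opening connections in quick succession and recording the ISN in each SYN/ACK, which is what nmap's TCP sequence prediction test does.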
This defect, documented as DDTS CSCds04747, has been corrected by
providing an improved method for generating TCP Initial Sequence
Numbers.
Forged packets can be injected into a network from a location
outside its boundary so that they are trusted as authentic by the
receiving host, thus resulting in a failure of integrity. Such
packets could be crafted to gain access or make some other
modification to the receiving system in order to attain some
goal, such as gaining unauthorized interactive access to a system
or compromising stored data.
From a position within the network where it is possible to
receive the return traffic (but not necessarily in a position
that is directly in the traffic path), a greater range of
violations is possible. For example, the contents of a message
could be diverted, modified, and then returned to the traffic
flow again, causing a failure of integrity and a possible failure
of confidentiality.
Any compromise using this vulnerability is only possible for TCP
sessions that originate or terminate on the affected Cisco device
itself. It does not apply to TCP traffic that is merely forwarded
through the device.
SOLUTION
The following table summarizes the IOS software releases that are
known to be affected, and the earliest estimated dates of
availability for the recommended fixed versions. Dates are
always tentative and subject to change.
+===========================================================================+
Train      Description of image or platform          Fixed release(s)*
+===========================================================================+
11.0-based releases
+===========================================================================+
11.0       Major GD release for all platforms        11.0(22a): 2001-Mar-08
+===========================================================================+
11.1-based releases
+===========================================================================+
11.1       Major release for all platforms           11.1(24a): 2001-Mar-08
11.1AA     ED release for access servers: 1600,      Unavailable; upgrade to
           3200, and 5200 series                     12.1(7), available 2001-Feb-26
11.1CA     Platform-specific support for 7500,       11.1(36)CA1: 2001-Mar-02
           7200, 7000, and RSP
11.1CC     ISP train: added support for FIB, CEF,    11.1(36)CC1: 2001-Mar-02
           and NetFlow on 7500, 7200, 7000, and
           RSP
11.1CT     Added support for Tag Switching on        12.0(11)ST2: 2001-Feb-26
           7500, 7200, 7000, and RSP
11.1IA     Distributed Director only                 11.1(28a)IA1: 2001-Feb-26
+===========================================================================+
11.2-based releases
+===========================================================================+
11.2       Major release, general deployment         11.2(25a): 2001-Mar-05;
                                                     11.2(25): available
11.2BC     Platform-specific support for IBM         Unavailable; upgrade to
           networking, CIP, and TN3270 on 7500,      12.1(7), available 2001-Feb-26
           7000, and RSP
11.2F      Feature train for all platforms           Unavailable; upgrade
                                                     recommended
11.2GS     Early deployment release to support       Unavailable; upgrade to
           12000 GSR                                 12.0(15)S1, available
                                                     2001-Feb-26
11.2P      New platform support                      11.2(25a)P: 2001-Mar-05;
                                                     11.2(25)P: available
11.2SA     Catalyst 2900XL switch only               Unavailable; upgrade to
                                                     12.1WC, available 2001-Apr-12
11.2WA3    LightStream 1010 ATM switch               Unavailable; upgrade to
                                                     12.0(10)W5(20), available
                                                     2001-Feb-28
11.2(4)XA  Initial release for the 1600 and 3600     11.2(25a)P: 2001-Mar-05;
                                                     11.2(25)P: available
11.2(9)XA  Initial release for the 5300 and          11.2(25a)P: 2001-Mar-05;
           digital modem support for the 3600        11.2(25)P: available
+===========================================================================+
11.3-based releases
+===========================================================================+
11.3       Major release for all platforms           11.3(11b): 2001-Mar-05
11.3AA     ED for dial platforms and access          11.3(11a)AA: 2001-Mar-05
           servers: 5800, 5200, 5300, 7200
11.3DA     Early deployment train for ISP DSLAM      Unavailable; upgrade to
           6200 platform                             12.1(5)DA1, available
                                                     2001-Mar-19
11.3DB     Early deployment train for                Unavailable; upgrade to
           ISP/Telco/PTT xDSL broadband              12.1(4)DB1, available
           concentrator platform (NRP) for 6400      2001-Feb-28
11.3HA     Short-lived ED release for ISR 3300       Vulnerable; no fixed release
           (SONET/SDH router)                        listed
11.3MA     MC3810 functionality only                 11.3(1)MA8: 2001-Mar-05
11.3NA     Voice over IP, media convergence,         Unavailable; upgrade to
           various platforms                         12.1(7), available 2001-Feb-26
11.3T      Early deployment major release,           11.3(11b)T1: 2001-Mar-05
           feature-rich for early adopters
11.3WA4    Multilayer Switching and Multiprotocol    Unavailable; upgrade to
           over ATM functionality for Catalyst       12.0(14)W5(20), available
           5000 RSM, 4500, 4700, 7200, 7500,         2001-Feb-28
           LightStream 1010
11.3(2)XA  Introduction of ubr7246 and 2600          11.3(11b)T1: 2001-Mar-05
+===========================================================================+
12.0-based releases
+===========================================================================+
12.0       General deployment release for all        12.0(15): available
           platforms
12.0DA     xDSL support: 6100, 6200                  Unavailable; upgrade to
                                                     12.1(5)DA1, available
                                                     2001-Mar-19
12.0DB     General deployment release for all        Unavailable; upgrade to
           platforms                                 12.1(4)DB1, available
                                                     2001-Feb-28
12.0DC     General deployment release for all        Unavailable; upgrade to
           platforms                                 12.1(4)DC2, available
                                                     2001-Feb-28
12.0S      Core/ISP support: GSR, RSP, c7200         12.0(14)S1: available;
                                                     12.0(14.6)S (interim**):
                                                     available
12.0SC     Cable/broadband ISP: ubr7200              12.0(15)SC1: 2001-Feb-26
12.0SL     10000 ESR: c10k                           12.0(14)SL1: 2001-Feb-26
12.0ST     General deployment release for all        12.0(11)ST2: 2001-Feb-26
           platforms
12.0SX     Early Deployment (ED)                     12.0(5c)E8: 2001-Feb-26
12.0T      Early Deployment (ED): VPN, Distributed   Unavailable; upgrade to
           Director, various platforms               12.1(7), available 2001-Feb-26
12.0W5     Catalyst switches: cat8510c, cat8540c,    12.0(14)W5(20): 2001-Feb-28
           c6msm, ls1010, cat8510m, cat8540m,
           c5atm, c3620, c3640, c4500, c5rsfc,
           c5rsm, c7200, rsp, cat2948g, cat4232
12.0WT     General deployment release for all        12.0(13)WT6(1): 2001-Feb-20
           platforms
12.0XA     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XB     Short-lived early deployment release      Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XC     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XD     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XE     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(5)E8, available
                                                     2001-Mar-05
12.0XF     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XG     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XH     Early Deployment (ED): limited platforms  12.0(4)XH5: 2001-Mar-05
12.0XI     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XJ     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XK     Early Deployment (ED): limited platforms  12.0(7)XK4: 2001-Mar-19
12.0XL     Early Deployment (ED): limited platforms  12.0(4)XH5: 2001-Mar-05;
                                                     or 12.1(7)
12.0XM     Short-lived early deployment release      12.0(5)XM1: 2001-Mar-05
12.0XN     Early Deployment (ED): limited platforms  (none listed)
12.0XP     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1WC, available 2001-Apr-12
12.0XQ     Short-lived early deployment release      Unavailable; upgrade to
                                                     12.1(7), available 2001-Feb-26
12.0XR     Short-lived early deployment release      Unavailable; upgrade to
                                                     12.1(5)T5, available
                                                     2001-Mar-05
12.0XS     Short-lived early deployment release      Unavailable; upgrade to
                                                     12.1(5)E8, available
                                                     2001-Mar-05
12.0XU     Early Deployment (ED): limited platforms  Unavailable; upgrade to
                                                     12.1WC, available 2001-Apr-12
12.0XV     Short-lived early deployment release      Unavailable; upgrade to
                                                     12.1(5)T5, available
                                                     2001-Mar-05
+===========================================================================+
12.1-based and later releases
+===========================================================================+
12.1       General deployment release for all        12.1(7): available
           platforms
12.1AA     Dial support                              12.1(7)AA: 2001-Mar-12
12.1DA     xDSL support: 6100, 6200                  12.1(5)DA1: 2001-Feb-28;
                                                     12.1(6)DA: available
12.1CX     Core/ISP support: GSR, RSP, c7200         12.1(4)CX: 2001-Mar-05
12.1DB     General deployment release for all        12.1(4)DB1: 2001-Feb-26
           platforms
12.1DC     General deployment release for all        12.1(4)DC2: 2001-Feb-26
           platforms
12.1E      Core/ISP support: GSR, RSP, c7200         12.1(5c)E8: 2001-Mar-05;
                                                     12.1(5.6)E (interim**)
12.1EC     Core/ISP support: GSR, RSP, c7200         12.1(5)EC1: 2001-Feb-26;
                                                     12.1(4.5)EC (interim**)
12.1EX     Core/ISP support: GSR, RSP, c7200         12.1(5c)EX: 2001-Mar-05
12.1T      Early Deployment (ED): VPN, Distributed   12.1(5)T5: 2001-Mar-05
           Director, various platforms
12.1XA     Early Deployment (ED): limited platforms  12.1(5)T5: 2001-Mar-05
12.1XB     Early Deployment (ED): limited platforms  12.1(5)T5: 2001-Mar-05
12.1XC     Early Deployment (ED): limited platforms  12.1(5)T5: 2001-Mar-05
12.1XD     Early Deployment (ED): limited platforms  12.1(5)T5: 2001-Mar-05
12.1XE     Early Deployment (ED): limited platforms  12.1(5)T5: 2001-Mar-05
12.1XF     Early Deployment (ED): 811 and 813        12.1(2)XF3: 2001-Mar-05
           (c800 images)
12.1XG     Early Deployment (ED): 800, 805, 820,     12.1(3)XG3: available
           and 1600
12.1XH     Early Deployment (ED): limited platforms  12.1(2)XH1: 2001-Mar-05
12.1XI     Early Deployment (ED): limited platforms  12.1(3)XI6: 2001-Mar-05
12.1XJ     Early Deployment (ED): limited platforms  Indeterminate; unscheduled
12.1XK     Early Deployment (ED): limited platforms  12.1(5)T5: 2001-Mar-05
12.1XL     Early Deployment (ED): limited platforms  12.1(3)XL1: 2001-Mar-05
12.1XM     Short-lived early deployment release      12.1(5)XM1: 2001-Mar-05
12.1XP     Early Deployment (ED): 1700 and SOHO      12.1(3)XP3: 2001-Mar-05
12.1XQ     Short-lived early deployment release      12.1(3)XQ1: 2001-Mar-05
12.1XR     Short-lived early deployment release      12.1(5)XR1: 2001-Feb-20
12.1XS     Short-lived early deployment release      12.1(5)XS: 2001-Mar-05
12.1XT     Early Deployment (ED): 1700 series        12.1(3)XT1: available
12.1XU     Early Deployment (ED): limited platforms  12.1(5)XU1: 2001-Feb-15
12.1XV     Short-lived early deployment release      12.1(5)XV1: 2001-Mar-05
12.1XW     Short-lived early deployment release      12.1(5)XW2: 2001-Feb-26
12.1XX     Short-lived early deployment release      12.1(5)XX3: 2001-Feb-26
12.1XY     Short-lived early deployment release      12.1(5)XY4: 2001-Feb-26
12.1XZ     Short-lived early deployment release      12.1(5)XZ2: 2001-Feb-26
12.1YA     Short-lived early deployment release      12.1(5)YA1: 2001-Feb-28
12.1YB     Short-lived early deployment release      12.1(5)YB: 2001-Feb-13
12.1YC     Short-lived early deployment release      12.1(5)YC1: 2001-Feb-26
12.1YD     Short-lived early deployment release      12.1(5)YD: 2001-Mar-12
+===========================================================================+
Notes
+===========================================================================+
* All dates are estimated and subject to change. "Unavailable" means no
  fixed release is planned in that train; migrate to the release named.
** Interim releases (marked above) are subjected to less rigorous testing
   than regular maintenance releases, and may have serious bugs.
+===========================================================================+
There is no configurable workaround that directly addresses the
predictability of the TCP Initial Sequence Number; the fix is the
software upgrade. To limit malicious use of this vulnerability
from inside the network, use transports that make interception and
modification detectable, if not altogether preventable, wherever
they apply: IPsec or SSH (rather than Telnet) for interactive
sessions to the Cisco device, TCP MD5 authentication to protect
BGP sessions, strong authentication for access control, and so on.
Malicious use of this vulnerability from a position outside the
administrative boundaries of the network can be mitigated, if not
prevented entirely, by applying access control lists on border
interfaces that drop packets arriving from outside with an
internal source address, so that packets with forged source or
destination IP addresses cannot be injected.
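The three controls named above can be checked mechanically against a device's running configuration. The following Python is an added example for this page, not Cisco code and not from the advisory: it parses a constructed IOS configuration excerpt and reports which of the controls are missing. The IOS commands it looks for (transport input ssh on the vty lines, neighbor ... password under router bgp, and ip access-group ... in on the outside interface) are the real ones; the interface name Serial0/0, the ACL name ANTISPOOF-IN, the addresses and the 10.0.0.0/8 internal range are assumptions for the example.

```python
# Added example (not Cisco's code, not from the advisory): audit an IOS
# configuration for the controls the advisory recommends. The configuration,
# interface name, ACL name and address ranges below are constructed.

# Constructed running-config excerpt: one good control and two weak ones.
SAMPLE_CONFIG = """\
interface Serial0/0
 description uplink to ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group ANTISPOOF-IN in
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
router bgp 65000
 neighbor 198.51.100.1 remote-as 65001
 neighbor 198.51.100.1 password MD5-KEY-EXAMPLE
 neighbor 192.0.2.9 remote-as 65002
!
ip access-list extended ANTISPOOF-IN
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
line vty 0 4
 transport input telnet ssh
!
"""

INTERNAL_PREFIXES = (("10.0.0.0", "0.255.255.255"),)  # assumed inside range, wildcard form


def parse_blocks(text):
    """Split an IOS config into (header, [indented lines]) blocks; '!' separators are dropped."""
    blocks = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def block_bodies(blocks, header, exact=False):
    return [b for h, b in blocks if (h == header if exact else h.startswith(header))]


def vty_transport_inputs(blocks):
    """Protocols accepted for inbound management sessions on the vty lines."""
    accepted = set()
    for body in block_bodies(blocks, "line vty"):
        for line in body:
            if line.startswith("transport input "):
                accepted.update(line.split()[2:])
    return accepted


def bgp_neighbors_without_password(blocks):
    """Neighbours configured without TCP MD5 authentication."""
    neighbours, protected = [], set()
    for body in block_bodies(blocks, "router bgp"):
        for line in body:
            parts = line.split()
            if parts[0] == "neighbor" and "remote-as" in parts:
                neighbours.append(parts[1])
            if parts[0] == "neighbor" and "password" in parts:
                protected.add(parts[1])
    return [n for n in neighbours if n not in protected]


def inbound_acl(blocks, iface):
    """Name of the ACL applied inbound on iface, or None."""
    for body in block_bodies(blocks, f"interface {iface}", exact=True):
        for line in body:
            parts = line.split()
            if parts[:2] == ["ip", "access-group"] and parts[-1] == "in":
                return parts[2]
    return None


def acl_denies_internal_sources(blocks, acl, internal=INTERNAL_PREFIXES):
    """True if every internal prefix is denied as a source before the first 'permit ip any any'.

    IOS ACLs are first-match, so a deny placed after the permit never fires.
    """
    for body in block_bodies(blocks, f"ip access-list extended {acl}", exact=True):
        denied = set()
        for entry in body:
            if entry == "permit ip any any":
                break
            for net, wild in internal:
                if entry == f"deny ip {net} {wild} any":
                    denied.add((net, wild))
        return denied == set(internal)
    return False


def audit(config, outside_iface="Serial0/0", internal=INTERNAL_PREFIXES):
    """Return one finding per missing control (an empty list means all three are present)."""
    blocks = parse_blocks(config)
    findings = []
    transports = vty_transport_inputs(blocks)
    if transports != {"ssh"}:
        findings.append(f"vty lines accept {sorted(transports)}; use 'transport input ssh'")
    for n in bgp_neighbors_without_password(blocks):
        findings.append(f"BGP neighbor {n} has no MD5 password")
    acl = inbound_acl(blocks, outside_iface)
    if acl is None:
        findings.append(f"{outside_iface} has no inbound ACL")
    elif not acl_denies_internal_sources(blocks, acl, internal):
        findings.append(f"ACL {acl} does not deny internal source addresses before permitting")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the constructed configuration the audit reports two findings: the vty lines still accept Telnet alongside SSH, and the neighbour 192.0.2.9 has no MD5 password. The anti-spoofing ACL passes because its deny for the internal range comes before the permit; the ordering check matters because IOS evaluates ACL entries first-match, so a deny added after a permit ip any any is dead configuration.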